ICO hits Worcestershire and North Somerset councils with £140,000 in fines

The Information Commissioner's Office (ICO) has fined Worcestershire and North Somerset councils a total of £140,000 after staff at both local authorities sent sensitive data to the wrong recipients via email.

Worcestershire County Council was fined £80,000 over an incident in March 2011 when a staff member emailed sensitive data on a number of vulnerable people to 23 unintended recipients on a contact list.

All those on the list worked for registered organisations linked to the council, which was able to track down and destroy the data after it had been sent.

Meanwhile, North Somerset Council was fined £60,000 after an employee sent five emails containing confidential information to the wrong NHS employee between November and December 2010.

The case is particularly damning as the NHS employee who received the data told the council worker of the mistake, but received three further emails containing sensitive information.

Two of the council's assistant directors were made aware of the problem and the employee was verbally informed about the incidents on 9 December. However, a fifth email was sent later that same day. The NHS confirmed that it deleted the data it was sent.

Information commissioner Christopher Graham warned that the poor email handling shown by both councils was of "great concern" and that the fines would have been higher if the data had not been traceable to other public sector organisations.

"There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure," he said.

"It was fortunate that in both cases the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties."

The ICO is currently asking the Ministry of Justice for the power to carry out compulsory audits of local authorities to improve data handling among government organisations. Currently councils can choose to opt out of an audit.

The incidents this week underline the dangers of email breaches. The ICO issued a fine of £120,000 to Surrey County Council in June after personal information was emailed to the wrong recipients on three occasions.

Last week it was revealed that local authorities have been responsible for over 1,000 data loss incidents since 2008, yet only 55 of these were reported to the ICO.